feat(webui): add browser terminal interface via ttyd

Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands.
2026-04-14 22:25:38 +02:00 · 2026-04-14 22:25:38 +02:00 · 9b8562b746
commit 9b8562b746
parent c01102b641
7 changed files with 209 additions and 92 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -8,7 +8,7 @@ services:
      context: .
      dockerfile: Dockerfile.proxy
    networks:
-      - claude-internal   # reachable by the claude container
+      - claude-internal   # reachable by claude and webui containers
      - proxy-external    # has outbound internet access
    restart: unless-stopped
    security_opt:
@ -21,7 +21,7 @@ services:
      - /var/spool/squid
      - /var/log/squid

-  # ─── Claude Code container ─────────────────────────────────────────────────
+  # ─── Claude Code CLI container ─────────────────────────────────────────────
  # No direct internet access. All egress routes through the proxy sidecar.
  # Run via "docker compose run --rm claude" (managed by claude.sh).
  claude:
@ -48,6 +48,41 @@ services:
    # Workspace is injected by claude.sh via --volume flag at run time.
    # Default: named Docker volume. Override: set WORKSPACE_DIR on the host.

+  # ─── Claude Code web interface ─────────────────────────────────────────────
+  # Serves Claude Code as a browser terminal via ttyd (port 7681).
+  # Protected by HTTP basic auth — set WEBUI_USER / WEBUI_PASSWORD in .env.
+  # Network isolation is identical to the CLI container.
+  webui:
+    build:
+      context: .
+      dockerfile: Dockerfile.claude
+    entrypoint: ["/usr/local/bin/webui-entrypoint.sh"]
+    depends_on:
+      proxy:
+        condition: service_healthy
+    networks:
+      - claude-internal   # only — no route to the internet
+    environment:
+      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
+      - HTTP_PROXY=http://proxy:3128
+      - HTTPS_PROXY=http://proxy:3128
+      - ALL_PROXY=http://proxy:3128
+      - NO_PROXY=localhost,127.0.0.1
+      - WEBUI_USER=${WEBUI_USER:-claude}
+      - WEBUI_PASSWORD=${WEBUI_PASSWORD:-}
+      - WEBUI_PORT=7681
+    ports:
+      - "0.0.0.0:7681:7681"
+    volumes:
+      - claude-web-workspace:/workspace
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    stdin_open: true
+    tty: true
+    restart: unless-stopped
+
 networks:
  # Internal-only: Docker adds no default gateway → no direct internet route
  claude-internal:
@ -57,3 +92,7 @@ networks:
  # External: standard bridge with internet access (proxy only)
  proxy-external:
    driver: bridge
+
+volumes:
+  # Persistent workspace for the web interface
+  claude-web-workspace: